Disguised as a Game App, BrainTest Malware Could Affect 1 Million Users
A new malware has been detected in the Google Play Store packaged within an Android game called BrainTest, possibly affecting 1 million users.
Check Point researchers have detected a malicious application, disguised as a game, that was published twice in the Google Play Store. The research team explains that the app was removed from the Store for the first time on August 24 and then again on September 15, once Check Point reached out to Google. According to Google Play statistics shared by the same group, each instance has seen between 100,000 and 500,000 downloads, “reaching an aggregated infection rate of between 200,000 and 1 million users.”
To bypass Google Play's automatic protection mechanism, the BrainTest application checks on startup whether it is being executed on one of Google's servers. If so, the app does not engage in any malicious activity. If it is not running on a Google IP address, and Google Bouncer is thus not detected, the application starts a time bomb: it begins downloading malware only after 20 seconds and then repeats the download every 2 hours. BrainTest also uses reflection-loaded methods to check whether the device is rooted. If it is not, the malicious app downloads a pack of exploits from its server and runs them until root is achieved.
BrainTest reportedly uses four privilege escalation exploits to gain root access on a device. It can then install persistent malware as a system application. It is also able to reinstall its components if they are ever removed, thanks to an anti-uninstall watchdog. Check Point explains that BrainTest “installs an additional application with the same functionality and these two applications monitor the removal of each other. If one of the applications is deleted, the second application downloads and re-installs the removed one.” Check Point added that the only way a user can get rid of this malware is by re-flashing the device with official firmware.
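The mutual-watchdog behaviour described above leaves a recognisable trace on a device: a package is removed and then reappears within seconds. The following Python script is an added example, not code from the article or from Check Point's analysis; it scans a constructed timeline of package install/removal events (the package names, timestamps and the 60-second window are all assumptions made for illustration) and flags packages that are re-added shortly after removal, then treats two or more such packages as a likely watchdog pair. A defender could feed it events extracted from a device's package-manager log instead of the sample data.

```python
"""Flag anti-uninstall watchdog behaviour from package-manager events.

Added example for illustration; the event timeline below is constructed and
does not come from the BrainTest report. Package names are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PkgEvent:
    ts: float       # seconds since the start of observation (assumed unit)
    action: str     # "added" or "removed"
    package: str


# Constructed sample timeline: two packages reinstall each other within
# seconds of removal, a third is only reinstalled much later by the user.
SAMPLE_EVENTS: List[PkgEvent] = [
    PkgEvent(0.0, "added", "com.example.game"),
    PkgEvent(5.0, "added", "com.example.helper"),
    PkgEvent(120.0, "removed", "com.example.game"),     # user uninstalls
    PkgEvent(127.5, "added", "com.example.game"),       # partner reinstalls it
    PkgEvent(300.0, "removed", "com.example.helper"),   # user uninstalls
    PkgEvent(304.2, "added", "com.example.helper"),     # partner reinstalls it
    PkgEvent(900.0, "removed", "com.example.weather"),  # ordinary uninstall
    PkgEvent(5000.0, "added", "com.example.weather"),   # ordinary reinstall, hours later
]


def find_reinstall_loops(events: List[PkgEvent],
                         window_s: float = 60.0) -> Dict[str, List[Tuple[float, float]]]:
    """Return {package: [(removed_ts, added_ts), ...]} for every package that
    was re-added within window_s seconds of being removed."""
    pending: Dict[str, float] = {}   # package -> timestamp of its last removal
    hits: Dict[str, List[Tuple[float, float]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "removed":
            pending[ev.package] = ev.ts
        elif ev.action == "added" and ev.package in pending:
            removed_at = pending.pop(ev.package)
            if ev.ts - removed_at <= window_s:
                hits.setdefault(ev.package, []).append((removed_at, ev.ts))
    return hits


def is_watchdog_suspected(hits: Dict[str, List[Tuple[float, float]]],
                          min_packages: int = 2) -> bool:
    """A single fast reinstall can be benign (e.g. an update); two or more
    distinct packages each coming back right after removal matches the
    mutual-watchdog pattern and is worth escalating."""
    return len(hits) >= min_packages


def summarize(events: List[PkgEvent]) -> List[str]:
    """Human-readable findings, one line per suspicious package."""
    hits = find_reinstall_loops(events)
    lines = [f"{pkg}: reinstalled {t1 - t0:.1f}s after removal"
             for pkg, pairs in sorted(hits.items()) for (t0, t1) in pairs]
    if is_watchdog_suspected(hits):
        lines.append("verdict: anti-uninstall watchdog suspected; "
                     "uninstalling via the package manager will not hold")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

The window size is the only tuning knob: the watchdog described in the article reinstalls its partner immediately, so anything that comes back within a minute of removal is a strong signal, while a user reinstalling an app hours later (the third package in the sample) is correctly ignored.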
The malware was first detected on a Nexus 5 smartphone, and even after multiple attempts to uninstall the app, it kept reappearing. The security firm believes the malware is capable of serving various cyber criminal goals, including installing additional apps on infected devices, downloading and running any code the attacker chooses, and possibly deploying a payload to steal user credentials.
Google claimed earlier this year that the number of malicious applications available in the Google Play Store had halved. Adrian Ludwig, Lead Engineer for Android Security, shared back in April that “the overall worldwide rate of Potentially Harmful Application (PHA) installs decreased by nearly 50% between Q1 and Q4 2014.” However, as we keep witnessing, malicious apps continue to bypass Google Bouncer using various techniques, affecting millions of users.